Acceptable Use Policy

Effective Date: May 4, 2026
Last Updated: May 4, 2026

This Acceptable Use Policy ("AUP") governs how you may use the ConcertoGRC platform ("Platform") and related services. This policy supplements our Terms of Use and applies to all users of the Platform.

Permitted Use

The Platform is designed for governance, risk, and compliance management. Permitted uses include:

  • Managing compliance programs across frameworks (SOC 2, ISO 27001, HIPAA, PCI DSS, and others)
  • Tracking and collecting evidence for audit readiness
  • Managing risk registers, vendor assessments, and policy lifecycles
  • Conducting security awareness training and phishing simulations for your own employees
  • Running tabletop exercises with your team and authorized participants
  • Monitoring infrastructure and endpoint compliance
  • Generating compliance reports and meeting materials
  • Managing user access lifecycle and identity governance

Prohibited Uses

You may not use the Platform to:

Security and Integrity

  • Attempt to access data belonging to other organizations or tenants
  • Probe, scan, or test the vulnerability of the Platform without written authorization
  • Circumvent or disable any security features, access controls, or usage limits
  • Reverse engineer, decompile, or disassemble any part of the Platform
  • Introduce malware, viruses, or any malicious code
  • Interfere with the availability or performance of the Platform for other users

Data and Content

  • Store data that you do not have the right to possess or process
  • Upload content that is illegal, defamatory, or infringes on third-party intellectual property
  • Use the Platform to process data in violation of applicable data protection laws
  • Store payment card data (PAN, CVV) or other regulated data types the Platform is not designed to handle

Phishing and Training Simulations

  • Send phishing simulations to individuals outside your organization without their employer's authorization
  • Use the phishing simulation module for actual social engineering attacks
  • Impersonate government agencies, law enforcement, or emergency services in simulation templates

AI Features

  • Use AI-generated content as final authoritative output without human review
  • Attempt to extract training data or manipulate AI models through prompt injection
  • Submit content designed to generate illegal, harmful, or misleading output

General

  • Resell, sublicense, or provide the Platform as a managed service to third parties without a written agreement
  • Use the Platform in a way that violates any applicable law or regulation
  • Misrepresent your identity, role, or authorization level

Your Responsibilities

As a user of the Platform, you are responsible for:

  • Credential security -- Keeping your login credentials confidential and enabling MFA
  • Data accuracy -- Ensuring the compliance data you enter is accurate and current
  • Access management -- Administrators must promptly revoke access for departing employees
  • Integration security -- Safeguarding API keys and OAuth tokens for connected integrations
  • Compliance with laws -- Using the Platform in compliance with all laws applicable to your organization and industry

Reporting Violations

If you become aware of any violation of this AUP, please report it to security@concertocompliance.com.

Enforcement

We may investigate potential violations of this AUP and take appropriate action, including:

  • Issuing a warning and requesting corrective action
  • Temporarily suspending access to the Platform
  • Permanently terminating access for serious or repeated violations
  • Reporting illegal activity to law enforcement

We will make reasonable efforts to notify the organization's administrator before taking enforcement action, except where immediate action is necessary to protect the security or integrity of the Platform.